Section XI: Information Technology

Information technology law in Canada covers a wide range of legal rules and practices, many of which are discussed elsewhere in this Guide, related to activities and transactions involving software, hardware, databases, electronic communications, the internet and other information technologies.

This section is a summary of some of the key legal issues under Canadian information technology law that one needs to consider when doing business in Canada.

1. Information Technology Contracting in Canada

1.1 - What terms are generally negotiated?

In Canada, information technology contracts generally specify each party’s obligations (such as delivery, performance, payment and confidentiality obligations) ownership and licence rights (including scope of use), acceptance tests and procedures, source code escrow (if applicable), representations, warranties, indemnities, limitations on liability and disclaimers. Disclaimers and limitation of liability clauses in information technology contracts can help minimize risks. However, it is important to note that there are some peculiarities in Canadian law that may render such clauses unenforceable and require careful drafting and review by Canadian counsel.

1.2 - Assignments and licences

In Canada, assignments and licences of intellectual property rights should be in writing and should be registered with the Canadian Intellectual Property Office. Note that an author’s moral rights, which exist under the Copyright Act, cannot be assigned but must be waived. See Section X, “Intellectual Property.”

1.2.1 - Are software licences assignable and capable of being sublicensed?

A software licence may be viewed by Canadian courts as “personal” and thus not be assignable or capable of being sublicensed to third parties unless the licence contains the express permission by the licensor to do so. In addition, confidentiality restrictions and limitations on licence scope can also affect the transferability of a licence agreement. This is an important point to keep in mind when doing due diligence in any Canadian commercial acquisition.

1.2.2 - Are shrink-wrap, click-wrap and browse-wrap licences enforceable in Canada?

Off-the-shelf computer programs that are accompanied by “shrink-wrap” licences and online “click-wrap” and “browse-wrap” agreements have received mixed enforceability before Canadian courts due to the requirement in Canadian law that both parties must assent to a contract in order for it to be binding on them. Such agreements have been enforced where the purchaser was impressed with the knowledge of the terms at the time of sale or the website owner has given proper notice of the terms before the parties entered into their agreement. They have also been enforced with proof of established prior business conduct or by the subsequent conduct of the user.

1.3 - Applicability of sale of goods legislation

1.3.1 - Are information technology purchases sales of goods?

If a transaction for the acquisition of information technology falls within the scope of provincial sale of goods legislation, certain rights and obligations will follow. Canadian courts tend to treat computer system acquisitions as sales of goods while transactions involving pure service, maintenance, custom training or programming are generally characterized as incidental to the sale of goods and therefore not subject to sale of goods legislation. Pre-packaged software supplied pursuant to a licence agreement is not subject to sale of goods legislation as no property in the software is transferred to the licensee. An exception occurs where the software is provided in conjunction with a larger transaction involving the sale of goods (e.g., hardware).

1.4 - Consumer protection

1.4.1 - How do consumer protection laws affect internet business and e-commerce?

Certain provinces have enacted consumer protection legislation that prescribes various requirements that must be met for internet sales contracts, such as the disclosure of relevant information and the delivery of a copy of the contract to the consumer. The federal government has also released a code of conduct for businesses engaging in electronic commerce transactions with consumers. See Section IV, “Trade and Investment Regulation.”

2. Intellectual Property Rights in Information Technology

2.1 - Copyright

2.1.1 - What information technology is protected by copyright?

Copyright is currently a primary source of protection for software programs, user manuals, databases, websites and other information technology works in Canada, provided that they meet the requirements of the federal Copyright Act. To be the subject-matter of copyright, the work must be “original,” meaning that it originated from the author and that skill and judgment were used in its creation. Further, for a work to garner copyright protection in Canada it must be fixed. The fixation requirement with respect to information technology is generally easily met. As of December 30, 2022, the term of copyright protection in Canada has extended to 70 years; this 20-year extension is not retroactive.

Computer programs are protected under the Copyright Act as literary works. Canadian courts have recognized that the writing of a computer program uses sufficient skill and judgment and therefore computer programs will typically meet the minimal originality requirement to obtain protection under the Copyright Act. Updates or enhancements to software are subject to independent copyright protection. The fact that a computer program is created using well-known programming techniques or contains unoriginal elements may not be a bar to copyrightability if the program as a whole is original.

Computer hardware designs and plans have also received copyright protection in Canada. Further, any software code stored on the hardware may be subject to copyright. Computer chips may be subject to integrated circuit topography protection. See Section XI.2.2, “Integrated circuit topographies.”

In addition, courts in Canada have held that a web page’s look, layout and appearance are protected by copyright, as are underlying elements that would otherwise qualify for copyright protection, such as text or musical works.

Once the legal requirements are met, the copyright holder has a variety of rights including the right to reproduce, perform, communicate the work, or authorize any of those acts. An unauthorized act of making a work available online, including via download or stream, and any subsequent unauthorized streaming or downloading of a work, is considered to be infringing the author’s copyright.

2.1.2 - Who owns the copyright in information technology?

As discussed in Section X, “Intellectual Property,” the author of an information technology work is generally considered to be the first owner of the copyright in it. An exception to this rule is where the author is an employee and the work is created in the course of employment, (in the absence of an agreement to the contrary, the first owner of the copyright is the employer not the employee). A written assignment agreement is considered essential where works are created using non-employee third parties.

Certain discussions have commenced regarding whether an artificial intelligence (AI) system could be considered an author or the owner of a work. The Government of Canada published in July 2021 a consultation paper discussing the issue and requesting submissions. Although Canadian jurisprudence would suggest that the author must be a natural person, the Canadian Intellectual Property Office has for the first time registered a copyright for an artistic work with one of the two co-authors being an AI program. However, in this case the registered owner was still a natural person. We are awaiting the result of the government’s public consultation.

2.1.3 - Can databases receive copyright protection? What criteria must be met?

Under the Copyright Act, databases are given protection as “compilations.” The Supreme Court of Canada has ruled that, to receive copyright protection, databases must be independently created by the author, and the selection and arrangement of the components that make up the database must be the product of an author’s exercise of skill and judgment. The exercise of skill and judgment must not be so trivial so as to be characterized as a purely mechanical exercise. However, “creativity,” in the sense of novelty or uniqueness, is not required. In addition, the creator of the database only acquires copyright in the database and not in the individual components of the database.

2.1.4 - What information technology is not protected by copyright?

Canadian copyright law does not protect the underlying mathematical calculations, algorithms, formulae, ideas, processes, or methods contained in information technology, only the expression of the same.

2.2 - Integrated circuit topographies

Integrated circuit topographies (or computer chips) are protectable in Canada by the Integrated Circuit Topography Act. See Section X, “Intellectual Property.”

2.3 - Trade secrets

Information technology, including but not limited to a formula, pattern, compilation, program, method, technique, or process, may also be protected under trade secret law where duties of confidence exist either at law or by virtue of an agreement, which must be reasonable to be enforceable. See Section X, “Intellectual Property.”

2.4 - Trademarks

Trademarks can be used to protect the goodwill associated with the names, slogans, symbols, and other marks used by businesses in the information technology industry. Trademark rights arise under the federal Trademarks Act and at common law. Significant amendments were introduced to the Trademarks Act in 2014. A few minor amendments came into force in 2015, while the most important amendments came into force in June 2019. These amendments include the elimination of the requirement that a mark be used in Canada or abroad before registration. Trademark protection is limited to the goods or services listed in the application, making it important to consider what a business plans to use the trademark for. This includes software, apps and virtual goods. See Section X, “Intellectual Property.”

2.4.1 - How are domain names protected?

Domain names may garner trademark rights if they meet the statutory or common law requirements for trademarks. Thus, it has been possible to register a domain name as a word or standard character mark. Trademark owners may be able to obtain relief in Canada for cybersquatters under trademark law and the Canadian Internet Registration Authority’s alternative dispute resolution process (where the dispute is in respect of a .ca domain name). For generic domain names, the rules promulgated by the Internet Corporation for Assigned Names and Numbers will apply.

2.4.2 - What risks do metatags pose?

Canadian courts have held that the use of metatags (i.e., tags or key words in a website’s coding that are used by search engines to sort web pages) that are confusingly similar to another person’s trademarks may constitute trademark infringement.

As for the use of keyword advertisement, such as Google AdWords, the Québec Superior Court and the British Columbia Court of Appeal have found that bidding on a keyword is not in and of itself an infringement of the Trademarks Act. Such practice is seen as generally legitimate and provides greater choice to consumers, as opposed to creating confusion. However, sponsored links on search pages resulting from keyword advertisements can infringe the Trademarks Act if such links are confusingly similar to another person’s trademarks.

2.5 - Patents

In Canada, to obtain patents on information technology inventions one has to meet the statutory requirements of the federal Patent Act. On June 22, 2023, the Act to implement certain provisions of the budget tabled in Parliament on March 28, 2023 (Bill C-47) received royal assent to bring a system of general patent term adjustment into Canada that will compensate patentees for any unreasonable delays in granting the patent. See Section X, “Intellectual Property” for further information.

2.5.1 - Is software and other information technology patentable in Canada?

The Canadian Intellectual Property Office routinely issues patents for software-based inventions, particularly methods performed using computer-executable instructions that operate with some hardware elements or that focus on the systems, processes and methods used to achieve a solution to a specific technical problem, rather than on the algorithm per se. Furthermore, the Canadian Federal Court of Appeal ruled that an online method of doing business included patent-eligible subject matter. However, computer programs are not patentable in Canada if they only perform a series of mathematical calculations or if they relate to an abstract idea.

2.5.2 - Can an AI be considered an inventor under Canadian patent law?

The Canadian Patent Office received a patent application with an AI system listed as the inventor. Known as DABUS and described as a "creativity machine," the applicant Stephen L. Thaler had originally listed the machine as the inventor in the 2019 application. A letter of non-compliance was sent to the applicant clarifying that it does not appear possible for a machine to have rights under Canadian law or have the capacity to transfer said rights to a human. A full decision has yet to be decided by the Canadian Patent Office, however the inventor section of the application has since been changed to "unknown." Numerous other patent applications with DABUS listed as the inventor have already been rejected in other jurisdictions, including Australia, the United States, the United Kingdom, as well as by the European Patent Office Board of Appeal.

3. Criminal Law Issues Relating to Information Technology

3.1 - Offences under the Criminal Code

In Canada, offences under the Criminal Code directly dealing with information technology include:

Theft of computer data
Defrauding the public of any property, money, or valuable security by deceit, falsehood or other fraudulent means using computers
Use of a computer in an unauthorized manner or to possess an instrument for that purpose (i.e., hacking)
Mischief in relation to computer data (i.e., distributing computer viruses)
Trafficking in unauthorized passwords

There are several other criminal offences under the Criminal Code and the Copyright Act, which may indirectly involve information technology.

3.2 - Lawful access

Lawful access generally refers to the interception of communications and the search and seizure of information carried out by law enforcement agencies pursuant to legal authority, including under the Criminal Code. Significant changes were introduced to lawful access legislation in 2015. Among other changes, certain Criminal Code provisions dealing with the interception of communications were amended by giving law enforcement new powers to collect electronic evidence in the context of an investigation.

In particular, these changes introduced a preservation demand and preservation order which enable law enforcement officials to demand or order third parties who possess or control computer data, including internet service providers, to preserve computer data for 21 to 90 days. In addition, new production orders for historical transmission data and tracking data were introduced, as well as requirements for real-time transmission data and tracking data, which allow law enforcement officials to retrace an individual’s web patterns and to remotely activate existing tracking devices (e.g., in vehicular GPS). It is important to note that in certain cases, the demands, orders or warrants created by these changes are subject to a threshold of “reasonable grounds to suspect” rather than the higher threshold of “reasonable grounds to believe.”

3.3 - Reasonable expectation of privacy in an IP address

Section 8 of the Canadian Charter of Rights and Freedoms guarantees that everyone has the right to be secure against unreasonable searches or seizures, establishing a reasonable expectation of privacy. With time, this right has expanded to include various technologies, such as your personal computer and subscriber information that is attached to an individual's assigned IP address. However, in Alberta this right no longer encompasses merely an IP address. Since an IP address is an abstract number that does not provide any core biographical or confidential information, alone it has no reasonable expectation of privacy. Albertan police officers can now obtain IP addresses without any judicial authorization, but still need to serve internet service providers in order to receive sensitive information.

4. Cryptography Controls

4.1 - Are there restrictions on using encryption in Canada?

Other than export controls, and subject to any applicable intellectual property, confidentiality and criminal law issues, businesses and consumers in Canada are free to develop, import and use whatever encryption technology they wish.

5. Privacy and Data Protection

As discussed in Section IX, “Privacy Law,” the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial private-sector privacy legislation in some provinces impose conditions on the collection, use and disclosure of personal information by organizations in the course of commercial activity.

These laws contain requirements for the protection of personal information within the control of an organization, including security measures to prevent unauthorized access, collection, use, disclosure, modification, destruction, and other similar acts. There may also be requirements in the event of a data breach. Businesses that collect, use or disclose personal information must comply with PIPEDA and/or the applicable provincial private-sector legislation.

The federal government also enacted the Digital Privacy Act in June 2015, which sets forth obligations on private-sector companies aimed at ensuring that consumers’ personal information remains protected online. All provisions of the Digital Privacy Act are now in force, including those outlining data breach notification and reporting requirements.

In addition to the pre-existing obligations applicable to private-sector companies, on June 16, 2022, the federal government introduced a proposed law titled An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Bill C-27). The second reading of the bill occurred on April 24, 2023. The new statutory framework proposed in Bill C-27 governs private sector personal information protection practices and, if passed, would enact the three new statutes. Particularly, The Consumer Privacy Protection Act (CPPA) would repeal and replace Part 1 of the Personal Information Protection and Electronic Document Act. Part 2 of PIPEDA will be renamed to An Act to provide for the use of electronic means to communicate or record information or transactions, or the Electronic Documents Act. The Personal Information and Data Protection Tribunal Act would establish an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada and make orders for contraventions of the CPPA.

On September 22, 2021, the Quebec Government adopted Bill 64, An act to modernize legislative provisions as regards the protection of personal information. This bill presents significant changes to the requirements governing the use and protection of personal information under various Quebec provincial statutes (including the distinct laws that apply to private sector entities and to public sector entities). There will be new obligations imposed on businesses operating in Quebec, some of which came into force in September 2022, while the rest will follow throughout 2023 and 2024. Notably, public and private entities must now report data breach incidents and organizations must appoint a privacy officer. The fines for noncompliance with privacy legislation have also increased as of September 2022, in both the public and private sectors. For more information about these requirements, see Section IX, “Privacy Law.”

6. Electronic Evidence

6.1 - Is electronic evidence admissible in court?

In Canada, electronic evidence is admissible in the courts provided that it meets the rules found in the common law and applicable statutes such as the federal and provincial Evidence Acts and the Rules of Civil Procedure. These rules include: (i) authentication by the party tendering the evidence; (ii) integrity of the system used and the method of record keeping, information storage, and retrieval; (iii) originality; and (iv) reliability.

Canadian courts have admitted electronic evidence where it accurately and fairly represented the information it purported to convey. Finally, Canadian courts have permitted the use of the internet in court and have admitted the contents of websites.

7. Electronic Contracting

7.1 - Are electronic signatures and documents valid in Canada?

In Canada, at both the federal and provincial/territorial levels, a series of e-commerce legislation has given statutory recognition to the legal effect of most types of electronic signatures and documents (with some exceptions such as wills, negotiable instruments and land transfers) that meet the requirements set out in the applicable statutes and regulations.

It is important to verify the validity of these documents as there can be variations in each jurisdiction. For example, British Columbia is now the first province to permit electronic wills.

Attention should also be given to the conduct of the parties, taking into consideration whether a reasonable person would infer their intention to be bound by an agreement. This includes informal interactions which may be enough to denote acceptance of an agreement. This was the case in a trial court where a thumbs-up emoji was enough to enforce the disputed agreement.

8. French Language Issues

8.1 - Must websites and information technology contracts be translated into French?

The province of Quebec has language laws that may impact electronic contracting and websites by requiring a French version to be made available if the parties or transactions involved have a Quebec connection, such as an office or employees located in Quebec. As well, the Charter of the French Language includes obligations for various communications, including commercial advertising, to be in French. It also imposes specific requirements for certain contracts of adhesion, which contracts and related documents (such as the information found on a transactional website including terms of service) must first be provided to the adhering party in French. Failure to comply with this requirement could render the contract null or non-enforceable against the adhering party.

8.2 - Must software be translated into French?

Under Quebec’s language laws, all computer software sold in Quebec must be available in French, unless no French version of it exists. Software may be available in languages other than French, provided that the French version can be obtained on terms that are no less favourable and that it has technical characteristics that are at least equivalent. In addition, the software must meet the French language packaging and labelling requirements.

9. Jurisdiction and the Internet

9.1 - Where are electronic contracts formed?

In Canada, the issue of where electronic contracts is considered to be formed has not yet conclusively been determined and the answer may be different from one province to another. Unlike taxes, which Canadian courts have held to be “instantaneous” in some circumstances and thus formed when and where the offeror receives notice of the acceptance, it is not clear whether electronic communication such as emails or contracts formed on a website are instantaneous. The Canadian e-commerce legislation (see Section XI.7.1, “Are electronic signatures and documents valid in Canada?”) provides some guidance as to when and where electronic documents are presumed to be received. However, the mere posting of information on a website may not be sufficient to deliver that information to another person. In addition, the exchange of emails discussing a contract or a contractual relationship may not be sufficient to form a contract.

9.2 - Can foreign websites and internet transmissions be subject to Canadian laws?

A court can exercise jurisdiction in Canada if there is a “real and substantial connection” between the subject matter of the litigation and the jurisdiction. Generally speaking, the courts have found that the more active a website or its owner’s activity is in Canada, or if the website or business activity targets persons in Canada, it will be subject to Canada’s laws. The fact that the physical location of a website or its server is outside Canada will not immunize the website owner from legal consequences in Canada.

Recently, the Supreme Court of Canada upheld an injunction granted on a worldwide basis against a leading search provider, demonstrating that Canadian courts can extend their reach and subject global websites to Canadian laws.

The Supreme Court of Canada has also applied the “real and substantial connection” test in determining jurisdiction in online copyright matters. The application of the Copyright Act depends on whether there is a real and substantial connection between the internet transmission and Canada. This test turns on the facts of each case and relevant connecting factors include the situs of the content provider, host server, intermediaries and end user.

9.3 - Can parties to an online contract choose the governing law and forum?

In Canada, the parties to an online contract have, subject to certain exceptions (for example consumer protection), the right to choose the governing law of the contract, the exclusive court in which disputes are to be heard, and to exclude the application of conflict of laws principles. However, the Canadian courts have found that such clauses cannot be used to oust the jurisdiction of a substantially connected province. The Supreme Court of Canada has also recently stated that, irrespective of the validity of a governing law clause, courts may find such a clause unenforceable for policy reasons; for example, if there is a strong public interest in having a decision heard in Canada or if there is extreme inequality in the bargaining position of parties to a contract.

10. Internet Regulation

10.1 - Are internet activities regulated in Canada?

The Canadian Radio-television and Telecommunications Commission (CRTC) is the body responsible for regulating broadcasting and telecommunications in Canada. It regulates certain types of internet businesses and activities in Canada. For instance, if an internet business qualifies as a “telecommunications services provider” i.e., by offering voice or data telecommunications services, under the Telecommunications Act, it may be subject to telecommunications regulation, which may impact its operations, ownership, facilities, rates and services. The CRTC also regulates the sending of certain commercial electronic messages, discussed below.

In addition, the CRTC has been granted express powers to regulate certain audio and audiovisual content transmitted over the internet in Canada. In 2023, the Online Streaming Act (Bill C-11), amended Canada’s Broadcasting Act by introducing modernized provisions addressing internet-based broadcasting, including many on-demand video and audio streaming services and social media platforms. These amendments aim to reduce the regulatory asymmetry between traditional broadcasters and online broadcasters by expressly empowering the CRTC to subject online broadcasters to some of the same types of requirements imposed on traditional broadcasters. Online broadcasters had previously been exempted from CRTC regulation. Many of these requirements are currently the subject of regulatory consultations and have yet to be determined. However, the CRTC may require online broadcasters to showcase Canadian content or make expenditures or other contributions to support Canadian and Indigenous content. Bill C-11 has also expanded the CRTC’s enforcement tools, which now include administrative monetary penalties.

Note that there are currently no compulsory copyright licences available for retransmission of over-the-air broadcasts over the internet unlike conventional television. As a result, re-transmitters have to negotiate copyright licences with all rights holders to broadcast works. It is not uncommon, however, for third parties to unlawfully distribute certain broadcasts without the copyright holder’s consent, forcing those rights holders to request injunctions. These orders have been requested immensely following the 2019 Bell Media Inc. v. GoldTV.Biz case. The Federal Court of Canada has now granted its first order requiring internet service providers to block IP addresses in real time. Referred to as a dynamic site blocking order against internet service providers, this allows internet service providers to follow and continuously block illegally streamed content as it changes IP addresses. This order was granted in regard to the streaming of live hockey games.

2023 also saw the Online News Act (Bill C-18) receive royal assent. Bill C-18 requires certain large digital platforms to participate in a bargaining process related to their dissemination of news content online with certain news businesses, or groups of such news businesses. The bargaining process consists of a mandatory negotiation period, followed by mediation (if negotiations are unsuccessful), which may be followed by final offer arbitration (if mediation is unsuccessful). Bill C-18 has attracted significant attention, and its effects on the Canadian news industry are continually evolving.

Further, there are certain obligations that must be met under consumer protection laws when doing business with consumers on the internet. See Section XI.1.4, “Consumer protection” and Section XI.9.3, “Can parties to an online contract choose the governing law and forum?”

Also, many regulatory, licensing, registration and permit requirements are imposed in Canada by stock exchanges, securities commissions, the Office of the Superintendent of Financial Institutions, public health and safety boards, transportation safety commissions, competition boards, industry associations and a variety of other agencies and bodies that regulate different businesses and activities in Canada.

10.2 - What rules apply to online advertising?

The same basic rules that govern traditional advertising and marketing practices, including the Competition Act and the Criminal Code apply to all forms of internet advertising and marketing, such as deceptive prize notices, representations on websites and bulletin boards, or in emails, newsgroups and chat rooms. The Competition Bureau has prepared guidelines that address some of the ways in which these traditional rules are applied in the online context, including the use of disclaimers and hyperlinks, and the information that should be provided online when advertising products, services and businesses.

Canada’s Anti-Spam Legislation (CASL) introduces new civil and criminal provisions in the Competition Act, which regulate false and misleading representations and deceptive marketing practices in the electronic marketplace. For more details on CASL, see Section XI.10.3, “Is spam illegal in Canada?” and for more information on advertising regulations, see Section IV, “Trade and Investment Regulation.”

10.3 - Is spam illegal in Canada?

Designed as one of the most stringent anti-spam regimes in the world, CASL has a significant impact on the electronic communication practices of companies in Canada and foreign companies sending commercial electronic messages (CEMs) to recipients in Canada. Many of the provisions of CASL, including those dealing with CEMs, came into force on July 1, 2014, while the provisions dealing with the unsolicited installation of computer software came into force on January 15, 2015. CASL also restricts other activities, including the ability of businesses to alter transmission data in electronic messages.

Subject to certain exceptions set out in the law and its accompanying regulations, CASL prohibits the sending of CEMs to an electronic address unless: (1) the person to whom the message is sent has consented to receiving it; and (2) the message complies with prescribed form and content requirements. Among other requirements, express consent under CASL must be “opt-in,” meaning that an explicit and positive consent from an intended recipient of a CEM must be obtained before sending a message. This differs from the common industry practices of using an opt-out or negative option method of obtaining consent for marketing, such as a pre-checked consent box that a consumer has to un-check to signify they do not wish to receive marketing messages.

With respect to the unsolicited installation of computer programs, subject to limited exceptions, CASL prohibits installing, or causing to be installed, a computer program (which may include software updates and upgrades) on another person’s computer system including a laptop, smartphone, tablet, gaming console or other connected device in the course of commercial activity, without the express consent of the device owner or an authorized user. As with consent for sending CEMs, consent to the installation of computer programs must be “opt-in” and must be obtained in the prescribed manner. Disclosure requirements will also apply.

The potential penalties for non-compliance under CASL are significant and include administrative monetary penalties of up to C$1-million for individuals and C$10-million for corporations.

CASL also creates a private right of action for persons who have been affected by a contravention of any number of CASL’s provisions, including the anti-spam provisions. The provisions of the statute providing for a private right of action were originally scheduled to come into effect on July 1, 2017, but their enactment has now been suspended indefinitely. This suspension is welcome news for industry, which has been very concerned about lawsuits, including class actions, being instituted while industry struggles to understand and comply with the requirements of this legislation.

It should be noted that the Competition Act provisions dealing with the advertising of certain products, such as tobacco, or misleading advertising as well as the Criminal Code provisions dealing with fraud, authorized access and use of computers and mischief against data, could also apply against spammers. Various industry groups have established member codes and guidelines dealing with the distribution of promotional materials and enforcement.

PIPEDA and similar private-sector privacy legislation in some provinces (see Section IX, “Privacy Law”) may also affect spammers by imposing obligations on how personal information, which may include email addresses, is collected, used and disclosed in the course of commercial activity.

11. Liability of Internet Service Providers (ISPs)

11.1 - What risks of liability do ISPs face?

ISPs, and possibly their directors and officers, may be liable under contract, tort or statute, for various claims arising from the provision of their services.

11.2 - Does Canada have any laws that protect ISPs from liability?

Canada has not passed legislation providing blanket immunity to ISPs from liability, however, courts have generally not held them liable for the infringing activities of their users. In the area of copyright, the Supreme Court of Canada has concluded that ISPs, and other intermediaries, will not face liability for copyright infringement if they restrict their activities to providing a conduit for information and do not engage in acts that relate to content. The Supreme Court has also found that caching (the temporary storage of material by the ISP) is also a protected activity.

Canada’s Copyright Modernization Act codified the Supreme Court’s approach in 2012 by limiting the liability incurred for “providing services related to the operation of the internet or another digital network.” This limitation covers the activities of ISPs as well as those of persons who provide caching and hosting services. The Copyright Modernization Act also implements a “notice-and-notice” regime, under which ISPs are required to send notices of potential infringement received from copyright holders to their potentially infringing subscribers.

The province of Quebec’s Act to Establish a Legal Framework for Information Technology also establishes a regime for liability and some protection in certain circumstances for ISPs acting as intermediaries on communication networks. Following the coming into force of Bill 6, this law has recently been updated.

12. Artificial Intelligence

As discussed in section 5, if passed, Bill C-27 would significantly reform federal private-sector privacy law. This includes rules to regulate international and interprovincial trade and commerce in “high-impact” artificial intelligence (AI) systems under a new Artificial Intelligence and Data Act (AIDA). Among other things, AIDA would: establish a new AI and Data Commissioner to support the Minister of Innovation, Science, and Industry in enforcing AIDA and, make it an offence to make available or use an AI system that is likely to cause serious harms. Through its harm-based approach to regulating AI, AIDA would create new obligations applicable across Canada, for yet-to-be-defined “high-impact systems”.

13. Increase in cybersecurity risks

13.1 - How common are cyber attacks?

Over the past years, cyberattacks and the cost associated to them, have increased drastically for businesses.

Businesses should be on high alert and pay particular attention to ransomware attacks as they are among the most common and are typically the costliest. Threat actors have become ever more sophisticated in their attacks and thus the size of ransom payments made increases each year. In fact, ransom payments over US$100,000 have become increasingly common, with many payments even exceeding US$1-million (sometimes by a considerable amount). The actual costs of a cyberattack, regardless of whether a ransom is paid or not, can often easily run into millions of dollars when factoring in hard costs in addressing the cyberattack, lost revenues due to the disruption and the effect on reputation.

Over the past year, there has also been more concerns regarding the protection of data and personal information. Observations show that 77% of the time, threat actors were able to access sensitive information and, in 68% of the cases, able to remove the information from the organization.

With the increase in cyber attacks, business need to ensure they are diligent in their cybersecurity practices. Whether it is by choosing the right technology, keeping up with the best software and hardware practices or maintaining a security team, it is vital for businesses to have cybersecurity preparedness measures in place. For more details on cybersecurity, see the Blakes Canadian Cybersecurity Trends Study 2023.

13.2 - Do I have an obligation to report breaches?

The requirement to report a cybersecurity breach will depend on the specific circumstances of the incident. Reporting obligations can stem from privacy legislation to specific regulations that may apply in a particular field of business. Required or not, breach reports have been on the rise and legislative reforms have tilted in favor of mandatory reporting. In case of a breach or suspected breach, proactivity is key not only to reduce the risk of aggravating damages, but also to know what reporting obligations may apply. For more information about these requirements, see Section IX, “Privacy Law.”

13.3 - What are the cybersecurity considerations when acquiring a business?

Cyberattacks can result in major damage for a company, such as higher costs from operational disruption, altered business practices and reputational damage. Cybersecurity considerations are thus an important consideration for potential acquirers or investors of Canadian businesses.

Buyers can enhance their protection during a transaction by including cybersecurity concerns in the due diligence process and by negotiating certain contractual protections.

During the due diligence process, buyers should question the target company regarding its history with cyberattacks. A review of the target entity’s cybersecurity practices, data governance, policies and procedures should also be conducted.

The buyer can also negotiate contractual protections in relation to the purchase agreement or, holdback on the purchase price payable to the seller(s) to cover cybersecurity remediation costs post-acquisition.

13.4 - Are companies being held liable in class actions for data breaches?

Victims of data breaches have been coming forward to commence class action lawsuits against businesses who have been the target of various breaches of cyber attacks.

For any class actions to commence, the action must first be certified or authorized, depending on the jurisdiction. This first step allows a class action to commence. However, the merits of the action will only be dealt with in a later judgment.

It is not uncommon to see class actions seeking damages from a data breach to pass this first step. However, it is yet to be seen if and when businesses will be held liable.